Time to Re-visit “Adjudication” under ITA 2000

ITA 2000 has been an epoch-making legislation in India, and it is now being considered for a major revision.

The revisions are focussed mainly on how to bring new technology such as AI, the Metaverse, Blockchain or Quantum Computing into a clear legal framework. In the meantime, the advent of another key legislation in the cyber field, namely the DPDPA 2023, has opened up another need.

DPDPA 2023 is focussed on disciplining the data fiduciaries with stringent penalties for non-compliance. For this purpose the Data Protection Board (DPB) will act as the adjudication authority under DPDPA 2023, receiving complaints, conducting an inquiry and determining the penalties.

For effective functioning of the DPB there is a need for complaints to reach them so that they can take up the inquiries. If no complaints come forth, the possibility of the DPB conducting its own surveillance and taking suo moto action is remote. If any data breach incident comes to the media's attention, then the DPB may take up the inquiry. Otherwise the DPB may not be actively scouting the market space to identify potential violators of basic personal data protection principles.

Data Principals who are unhappy with a data fiduciary, who may be a mobile app service owner or a website owner, may initially report to the DPB enthusiastically about permissions being collected in excess of the requirement etc. However, after a while data principals will realize that any complaint made by them may invoke an inquiry and a penalty for the data fiduciary but may not result in any compensation being available to them. Public interest reporting may even be discouraged by the DPB, which may stick to the complaints of data principals who have a cause of action against the data fiduciary, such as any of their rights (right of access, right of grievance redressal etc.) not having been complied with.

Naavi.org has already initiated an action plan to create some kind of recognition to the data principals who file complaints with the DPB and contribute to the cleaning of the system.

However, those data principals who need to pursue a claim of compensation may find that their only remedy lies under ITA 2000, by making a complaint with the Adjudicator claiming contravention of Section 43, along with any other sections, and claiming compensation.

When Section 43A was introduced, there was one case in Bengaluru where an advocate successfully argued (later overruled by the appellate authority) that Section 43A will apply to body corporates and Section 43 will apply to others. With Section 43A being removed, there will be no confusion now: in any event where a wrongful loss is suffered by a person and a contravention of ITA 2000 is identified, the remedy for compensation lies under ITA 2000 with an adjudication.

We can therefore see that demand for adjudication may increase. Also, since adjudication is based on evaluation of the value of wrongful loss, it will be necessary for the adjudicator to assess the “Valuation” of personal data for the purpose of providing compensation. In many cases, the per-capita loss may be small but the aggregate loss of a community may be large. In such cases, the adjudicator may have to allow class action, or take up suo-moto investigation, collect compensation for a group and distribute it to the affected persons.

At present it appears that the Adjudicators under ITA 2000, who are IT secretaries in States, may neither be inclined towards such extended duties nor be equipped to take up personal data valuation and distribution of compensation.

If therefore the system of penalizing data fiduciaries does not take off, data principals will also lose interest in making complaints and hence the society is unlikely to see any noticeable improvement in the privacy protection culture of organizations.

It is therefore necessary to strengthen the Adjudication system under ITA 2000 and make it ready to take on the increased work load.

In this context Naavi.org urges that the old system of designating the IT secretary as the Adjudicator should be replaced and a dedicated Adjudicator should be appointed in each state under the judicial system itself. Hence there is a need to initiate an action plan to set up new Adjudication offices in each State with a judicial person in charge, and for MeitY to modify its notification of March 2003, recognize any such Adjudication offices set up by the judicial system as the Adjudicator of the State and relieve the IT secretary.

This is also necessary for another reason, since many of the complaints under DPDPA 2023 may be raised against Government bodies and there will be a perceived conflict of interest between the IT secretary as a servant of the Government and the respondent of the complaint. The celebrated case of Gujarat Petrosynthese Ltd vs Axis Bank, which suffered due to the misinterpretation of the applicability of Section 43/43A, was an example of such a conflict since the IT secretary was also the e-Governance secretary and the respondent Axis Bank was also the Banker for the e-Governance department.

It would therefore be ideal if the change of the Adjudication system from the IT secretaries to the judicial system starts from Karnataka itself. I request institutions interested in public good to take up this initiative.

Naavi


Indian Data Protection Summit 2023

Register at www.idps2023.in


IDPS 2023 is on 24th and 25th November 2023

FDPPI’s flagship event IDPS 202x is an event that every Data Protection Professional looks forward to.

This year’s IDPS namely IDPS 2023 is happening as a hybrid event in partnership with Manipal Law School, Yelahanka, Bengaluru at the MLS auditorium.

Register at www.idps2023.in today


Need to rethink on the definition of personal data

In interpreting any personal data legislation, there is a need to clearly understand the term “Personal Data”. The definition of “Personal Data” has to also relate to the definition of “Person” and “Business Contact data”.

In DPDPA 2023 Personal Data is defined as any data about an individual who is identifiable by or in relation to such data. Note that the term used here is “Individual” not person. Hence personal data is individual data.

On the other hand, “Person” is defined as including an individual, HUF, Company, firm, association of persons, State and every artificial juristic person. This definition is relevant to “Person” for being considered as a “Data fiduciary”.

Many professionals get confused and think data about a company is also “Personal Data”. I hope the above provides clarity in this respect.

DPDPA does not define “Business Contact Data”. However Section 8(9) mandates that a Data Fiduciary shall publish the business contact information of the DPO/Compliance officer.

In the Singapore PDPA 2012, “business contact information” is defined as an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes.

In the GDPR scenario, work email is considered part of “Personal Information”.

Whether the Indian DPDPA 2023 will follow the Singapore definition or the GDPR definition may be clarified later in the notification.

At present we can conclude that since “Business Contact Information” is information which is mandatorily made public under Section 8(9) of DPDPA 2023, it is not subject to the rights associated with Personal Information. Hence the definition is in tune with the Singapore definition.

The GDPR definition is not practical since the DPO is a point of contact for any data subject and hence his contact information, such as the e-mail address and perhaps a telephone number, has to be made public. Probably the GDPR can be interpreted to require publishing of the email ID of the DPO as dpo@domain.com and not by name of the DPO. In the Singapore law there is a clear understanding that if the information is for business purpose and not solely for personal purpose it is considered as Business Contact address. This is more logical and fits into the Indian definition.

There is another aspect of Personal Data that needs clarification worldwide. It is related to “Transaction Data”. Just as we say two hands are required to clap or give a high five, two (or more) persons are required for a conversation or a transaction.

Any data generated in such an interaction has to be considered as jointly belonging to all the participants of the event.

Hence data related to a joint activity should not be considered as personal data of either of them but as transaction data between both of them. Both will therefore have equal rights over the data.

In the case of a personal conversation like a telephone conversation, there should be a right for each of them to record. If A sends an email to B, B can use the e-mail data at his discretion and cannot consider it as personal data of the sender.

Similarly, in an E-Commerce transaction or a business transaction, the data related to what Mr A bought and for how much etc. is not to be considered as Personal Data but as “Transaction Data”.

Justice Srikrishna in his report of 2018 mentioned the need to consider “Community Data” as a category of data for which law has to be created outside PDPB 2018, which he suggested as the law for personal data. Subsequently the Kris Gopalakrishnan Committee also endorsed the view that data created by a group is Non Personal Data.

Now it is time to reiterate this concept that Data generated jointly by more than one individual or between an individual and an organization (which includes the Business E-Mail in the name of the company) is not “Personal Data” but is “Joint Personal Data” or “Non Personal Data”.

Naavi


Wishing you all a Happy and Prosperous Deepavali

Naavi is pleased to wish you all a Happy and prosperous Diwali.


How Can you contribute to Data Protection in India?

Naavi.org was born under the motto, “Let’s Build a Responsible Cyber Society”. In pursuance of this objective, special movements such as the Karnataka Cyber Laws Awareness Movement were undertaken to promote ITA 2000.

Now a time has come to take efforts to bring about compliance to DPDPA 2023 across the country.

We are aware that there are several organizations who are unhappy with DPDPA 2023 and even we may have some suggestions. But we believe that we need to implement what is on hand and improvements will follow.

Naavi is closely associated with FDPPI and through FDPPI several projects are being implemented for promotion of Data Protection Eco system in India.

Now Naavi.org has started a new campaign to drive home the concept of “Duty of a Data Principal”.

Under DPDPA 2023, Section 15, the following duties are imposed on Data Principals:

(a) To comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;

(b) To ensure not to impersonate another person while providing her personal data for a specified purpose;

(c) To ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;

(d) To ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and

(e) To furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.

It is therefore necessary for all members of public to understand the essence of the above duties and take measures to abide by them.

Naavi.org intends to add another voluntary duty to the above list, namely:

…..To report any observation of contravention of DPDPA 2023 to the DPB.

We are aware that DPDPA 2023 imposes obligations on Data Fiduciaries and non-compliance with the provisions of the Act may be penalized to the extent of Rs 250 crores or more.

However it would be difficult for DPB to be aware of all contraventions by thousands of Data Fiduciaries in India. They may be able to take notice of data breaches when reported in the media but the real improvement in the protection of personal data of the public will come when every mobile app and every website is able to comply with the laws. Hence we are requesting all Data Principals to take up the responsibility of filing an appropriate complaint with the DPB.

At the same time we are aware that DPDPA 2023 does not provide for compensation payable to the Data Principal for any loss of privacy. Such compensation, where feasible, has to be claimed under ITA 2000 as a part of the adjudication mechanism. On the other hand, DPDPA discourages filing of false complaints and can impose a fine of Rs 10000/- if false complaints are made.

In view of the remote possibility of the fine as well as the general apathy of our citizens, we anticipate that members of the public may be reluctant to make complaints even if the procedure would be as simple as filling up an online form. Some may even ask why they should file a complaint when the DPB would impose a penalty and appropriate it to the Consolidated Fund of India.

In the midst of such general attitude, there will always be some dutiful citizens who would take the trouble of bringing DPDPA violations to the notice of DPB.

To recognize this sense of duty and to encourage that attitude, Naavi.org would be interested in providing a “Certificate of Appreciation” to those who register a valid complaint with the DPB. Periodically active participants will be provided additional recognition as may be appropriate. A “Hall of Fame” would be created to place on record consistent efforts of individuals who will take active steps to promote compliance of DPDPA 2023.

At the same time, Naavi and FDPPI will be always ready to provide support to Data Fiduciaries in achieving compliance either before or after a complaint is raised by a Data Principal or to assist them in proposing a Voluntary Undertaking program to DPB in case of any penalty being proposed.

This scheme would come into existence after the DPB is established and a procedure for filing a complaint is established.

(P.S: An ad hoc recognition has been separately announced for voluntary disclosure regarding the Rashmika Mandanna Deep Fake creation in view of its urgency and criticality.)
